Re: [exim] sudo - iptables trick

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Walt Reed
Datum:  
To: Tim Jackson
CC: exim users
Betreff: Re: [exim] sudo - iptables trick
On Sun, Apr 16, 2006 at 12:39:49PM +0100, Tim Jackson said:
> >It depends. Obviously if you have
> >
> >mail ALL=(root) NOPASSWD ALL
> >
> >then that's not a good idea, but if you restrict mail to running just
> >some wrapper scripts that invoke iptables appropriately, then it is
> >reasonably secure.
>
> Except that a compromise of "mail" means a root compromise. It's rather
> a shame to throw away all Exim's careful user-switching (to try to limit
> the effect of any compromise) just so you can do iptables rules.


I don't think the OP was suggesting using that line in sudoers as is - I
think the OP was suggesting that you NOT use that line, but configure
sudo to allow a very specific script to be run. In that case, it's
reasonably secure and does NOT necesarily mean a root compromise.